From owner-p4-projects@FreeBSD.ORG Tue Dec 28 18:29:48 2010
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 0DD1F1065787; Tue, 28 Dec 2010 18:29:48 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C39A3106577E for ; Tue, 28 Dec 2010 18:29:47 +0000 (UTC) (envelope-from trasz@freebsd.org)
Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:4f8:fff6::2d]) by mx1.freebsd.org (Postfix) with ESMTP id AFC808FC16 for ; Tue, 28 Dec 2010 18:29:47 +0000 (UTC)
Received: from skunkworks.freebsd.org (localhost [127.0.0.1]) by skunkworks.freebsd.org (8.14.4/8.14.4) with ESMTP id oBSITl5U005603 for ; Tue, 28 Dec 2010 18:29:47 GMT (envelope-from trasz@freebsd.org)
Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.4/8.14.4/Submit) id oBSITlPS005600 for perforce@freebsd.org; Tue, 28 Dec 2010 18:29:47 GMT (envelope-from trasz@freebsd.org)
Date: Tue, 28 Dec 2010 18:29:47 GMT
Message-Id: <201012281829.oBSITlPS005600@skunkworks.freebsd.org>
X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to trasz@freebsd.org using -f
From: Edward Tomasz Napierala To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 187258 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Dec 2010 18:29:48 -0000 http://p4web.freebsd.org/@@187258?ac=10 Change 187258 by trasz@trasz_victim on 2010/12/28 18:29:43 Fix per-jail rules storage. Affected files ... .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#101 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_jail.c#27 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/jail.h#16 edit Differences ... ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#101 (text+ko) ==== @@ -949,6 +949,9 @@ error = ui_container_foreach(hrl_rule_remove_callback, filter, (void *)&found); KASSERT(error == 0, ("ui_container_foreach failed")); + error = prison_container_foreach(hrl_rule_remove_callback, filter, + (void *)&found); + KASSERT(error == 0, ("prison_container_foreach failed")); sx_assert(&allproc_lock, SA_LOCKED); FOREACH_PROC_IN_SYSTEM(p) { @@ -1210,6 +1213,7 @@ mtx_lock(&hrl_lock); loginclass_container_foreach(hrl_get_rules_callback, filter, sb); ui_container_foreach(hrl_get_rules_callback, filter, sb); + prison_container_foreach(hrl_get_rules_callback, filter, sb); mtx_unlock(&hrl_lock); if (sbuf_error(sb) == ENOMEM) { sbuf_delete(sb); ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_jail.c#27 (text+ko) ==== 
@@ -4252,6 +4252,28 @@ SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +#ifdef HRL +int +prison_container_foreach(int (*callback)(struct container *container, + const struct hrl_rule *filter, void *arg3), + const struct hrl_rule *filter, void *arg3) +{ + int error; + struct prison *pr; + + sx_slock(&allprison_lock); + TAILQ_FOREACH(pr, &allprison, pr_list) { + error = (callback)(&pr->pr_container, filter, arg3); + if (error != 0) { + sx_sunlock(&allprison_lock); + return (error); + } + } + sx_sunlock(&allprison_lock); + + return (0); +} +#endif #ifdef DDB ==== //depot/projects/soc2009/trasz_limits/sys/sys/jail.h#16 (text+ko) ==== @@ -341,6 +341,8 @@ struct mount; struct sockaddr; struct statfs; +struct container; +struct hrl_rule; int jailed(struct ucred *cred); int jailed_without_vnet(struct ucred *); void getcredhostname(struct ucred *, char *, size_t); @@ -383,6 +385,9 @@ char *prison_name(struct prison *, struct prison *); int prison_priv_check(struct ucred *cred, int priv); int sysctl_jail_param(struct sysctl_oid *, void *, int , struct sysctl_req *); +int prison_container_foreach(int (*callback)(struct container *container, + const struct hrl_rule *filter, void *arg3), + const struct hrl_rule *filter, void *arg3); #endif /* _KERNEL */ #endif /* !_SYS_JAIL_H_ */
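Review bot: in the second kern_hrl.c hunk (@@ -1210,6 +1213,7 @@) the new `prison_container_foreach(hrl_get_rules_callback, filter, sb);` call sits between `mtx_lock(&hrl_lock);` and `mtx_unlock(&hrl_lock);`, yet prison_container_foreach() (kern_jail.c hunk) does `sx_slock(&allprison_lock);`. If hrl_lock is an ordinary MTX_DEF mutex, that acquires a sleepable sx lock while a non-sleepable mutex is held, which WITNESS reports as a lock order reversal (sleepable after non-sleepable) and which can block with hrl_lock held. Either walk the prisons before taking hrl_lock, or have the caller hold allprison_lock across the hrl_lock critical section and turn the sx_slock()/sx_sunlock() pair in the helper into an sx_assert(&allprison_lock, SA_LOCKED); the same question applies to the loginclass_container_foreach() and ui_container_foreach() calls on the adjacent context lines if those helpers take sleepable locks too.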
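Review bot: the new prison_container_foreach() in kern_jail.c (@@ -4252,6 +4252,28 @@) carries no comment stating its contract. As written, the callback runs with allprison_lock held shared, for every prison on allprison with no filtering (for example by reference state), and the first non-zero return value aborts the walk and is passed back to the caller after the lock is dropped. A short block comment above the function saying exactly that (callback must not sleep in a way incompatible with holding allprison_lock, must not take allprison_lock itself, and has to tolerate whatever state a listed prison is in) would match the other prison_*() helpers in this file. Minor style point: the closing directive should read `#endif /* HRL */` per style(9), since the block is more than a few lines.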
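Review bot: in the second jail.h hunk (@@ -383,6 +385,9 @@) the prison_container_foreach() prototype, and in the first jail.h hunk (@@ -341,6 +341,8 @@) the `struct container;` and `struct hrl_rule;` forward declarations, are added unconditionally, whereas the definition in kern_jail.c is wrapped in `#ifdef HRL`. A kernel built without HRL that references the function will fail at link time rather than compile time; wrapping the prototype (and, for consistency, the two forward declarations) in the same `#ifdef HRL` block, or making the definition unconditional, keeps the header and the implementation in step. While here, the pre-existing `int , struct sysctl_req *` in the context line has a stray space before the comma that could be cleaned up.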